Posted by samzenpus on Sunday February 05, 2012 @10:58AM from the still-here dept.

tsu doh nimh writes "Two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies. Internet Identity, a Tacoma, Wash. company that sells security services, found evidence of at least one DNSChanger infection in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities. Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan's DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web. The FBI is currently debating whether to extend the deadline or let it expire."
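A practical check that follows from the summary, added here as an example (it is not code from the article, from Internet Identity or from the FBI): DNSChanger works by rewriting a host's resolver settings to point at the criminals' servers, so a host is still infected if its configured resolvers fall inside the rogue address ranges. The ranges in the block are the six published in the FBI's public DNSChanger notice, not on this page; confirm them against the current official list before relying on them. The resolv.conf, ipconfig and surrogate-server log snippets are constructed samples, and the log format is an assumed BIND-style layout.

```python
# Added example: flag resolver addresses that fall in the DNSChanger rogue
# ranges, and count distinct clients seen in a surrogate DNS server's query log.
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# (first, last) address of each rogue range from the FBI's DNSChanger notice.
# Copied from that notice, not from the article above; verify before use.
DNSCHANGER_RANGES: List[Tuple[str, str]] = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def to_networks(ranges: Iterable[Tuple[str, str]]):
    """Turn first/last pairs into CIDR networks so membership tests are cheap."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


ROGUE_NETS = to_networks(DNSCHANGER_RANGES)
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_rogue(ip: str, nets=ROGUE_NETS) -> bool:
    """True if ip parses and lies inside one of the rogue networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an address at all; never treat garbage as rogue
    return any(addr in n for n in nets)


def parse_resolvers(text: str) -> List[str]:
    """Extract resolver IPv4 addresses from /etc/resolv.conf 'nameserver' lines
    or from the 'DNS Servers' block of Windows 'ipconfig /all' output, where
    extra servers appear on indented continuation lines."""
    found: List[str] = []
    in_dns_block = False
    for line in text.splitlines():
        m = re.match(r"^\s*nameserver\s+(\S+)", line)
        if m:
            found.append(m.group(1))
            in_dns_block = False
            continue
        if "DNS Servers" in line:
            in_dns_block = True
            found.extend(_IPV4.findall(line.split(":", 1)[-1]))
            continue
        if in_dns_block and _IPV4.fullmatch(line.strip()):
            found.append(line.strip())
        else:
            in_dns_block = False
    return found


def find_rogue_resolvers(text: str) -> List[str]:
    return [ip for ip in parse_resolvers(text) if is_rogue(ip)]


def infected_clients(log_lines: Iterable[str]) -> Set[str]:
    """Every distinct client address that queried a surrogate server is an
    infected host (or a NAT gateway fronting one)."""
    pat = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#")
    return {m.group(1) for line in log_lines for m in [pat.search(line)] if m}


# Constructed samples (not real hosts); RFC 5737 documentation addresses.
SAMPLE_RESOLV_CONF = """# constructed /etc/resolv.conf
nameserver 85.255.112.5
nameserver 192.0.2.53
"""
SAMPLE_IPCONFIG = """   DNS Servers . . . . . . . . . . . : 93.188.160.2
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_SURROGATE_LOG = """\
03-Feb-2012 10:00:01 client 198.51.100.7#51234: query: www.example.com IN A
03-Feb-2012 10:00:02 client 203.0.113.9#40001: query: mail.example.org IN MX
03-Feb-2012 10:00:05 client 198.51.100.7#51240: query: cdn.example.net IN A
""".splitlines()

if __name__ == "__main__":
    print("rogue resolvers (resolv.conf):", find_rogue_resolvers(SAMPLE_RESOLV_CONF))
    print("rogue resolvers (ipconfig):", find_rogue_resolvers(SAMPLE_IPCONFIG))
    print("distinct clients in surrogate log:", sorted(infected_clients(SAMPLE_SURROGATE_LOG)))
```

Run it against the real output of `cat /etc/resolv.conf` or `ipconfig /all` on a suspect host. A match means the host is still relying on the court-ordered surrogate servers and will lose name resolution when they go dark; the distinct-client count from the surrogate logs is how a count like "one infected computer in half the Fortune 500" is produced, one address per host or NAT egress.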

Unfortunately, proving that you are better than a company's security staff often involves committing a crime, which looks bad when you are applying for a job later in life. Not everyone can be an independent consultant like Kevin Mitnick.

Wow, how wrong you are. You simply say to the corporation, "I'm a security consultant, want to watch me get through your security?" They say "yes", you say "pay me", and then show them how insecure their network truly is.

It's not as though there are any shortages of hacking stories out there; take the Stratfor hack recently, 200 gigs of data moved off the network and no one noticed? Unencrypted credit card data? Those seem like newb mistakes to me, so they obviously could have benefited from a security audit by

Wow, it's that easy to get into a corporate network? After all, you might be employed by the competition to steal your corporate secrets.

If they had any brains, they would know that the CEO does not need access to individual customers' credit card numbers and only needs high-level reporting data, so getting his password off the monitor wouldn't reveal anything that isn't published on the company's press release page.

Right, because the company is not going to ask to see your credentials before they pay you to attack their system. How do you get your credentials as a security consultant in the first place? How does anyone know that your time is worth paying for?

Your first few jobs are payment after proving what you can do. They put a special file on the server. They pay you if you can produce the file for them. After they pay you, you tell them what you did and how to fix it.

It's not hard to build a relationship of trust, work your way up with respectable clients, and having a degree in cyber crime doesn't hurt either.

Wow how wrong you are, they say "yes", you say "pay me" and then show them how insecure their network truly is.

Wow, you have no conception of how corporate politics work, do you? You simply say to the corporation, "I'm a security consultant, want to watch me get through your security?" and they say, "If you attempt to hack our systems we will prosecute you to the fullest extent of the law."

The only people in IT that know what they are doing are the "hackers".

Actually, if you think about it, the crackers have a much much easier time of it. They only have to find one security issue. The people in IT have to try and cover ALL security issues. Never mind the fact that it's impossible to cover all security issues, because IT staff don't always have access to source code, are not always expert programmers, and don't necessarily know the best security practices for all programming languages.

No, you've still got it simplified: you need to grab all the security problems on the network, in order from most politically feasible to fix to least. One does not simply walk into Mordor. You pick on the little guys first, then the bigs get you axed for not "noticing" the stuff they knew was a problem.

Yes and no. Hackers hack each other rather often, making the other hacker look "dumb". But then the other hacker hacks the first one back.

Then which one is better than the other uhm?

Well, none. This stuff is just too darn complex to figure out all the variables at any point in time. You can just focus on some things and make them better, or break them. Or focus on the general issues and try to manage/detect/solve issues on a larger scale.

Or, of course, be a true genius (true being the keyword here), or redesign y

As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan's DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web.

Maybe loss of service will finally motivate owners/managers to clean up the problem.

You're right. The only way that most of these companies or government agencies will even realize that they are infected/affected will be when some of their PCs stop working properly.

In my experience, they'll just poke at the non-functioning systems until they do something that makes them work again. Or until they run out of ideas and blame the "network card" or something and replace the hardware.

If they don't know that they're infected by now, they don't have the expertise (basic knowledge) to monitor their own systems.

They will just say "yep, that happens to computers sometimes" and move on. Never understanding that there is a huge hole in their security practices.

I'd recommend installing a different Trojan that points to another set of DNS servers :) If you install an advanced Trojan it should be able to keep out the competition as well, likely improving user experience on the computer.

Just re-configure the surrogate DNS servers to return the same reply to every query and point all traffic towards an FBI server hosting a web page that explains what's happened and why they are seeing the web page they are. May as well make mention of the fact that the DoJ has apparently been sending out email notifications of these infections, followed up with snail-mail versions, to the designated WHOIS abuse/tech contacts for IP ranges showing infected hosts, just in case they hadn't already figured it out for themselves. I don't think it'll take too long before someone in senior management figures out what that implies and goes for a walk over to the IT department with a clue-by-four.

They should have shut it down in the first place. It's wildly irresponsible and stupid for the FBI to have set up a replacement infrastructure.

Presumably the hosts that are compromised had a vulnerability. Leaving a working infrastructure in place has masked the signal not only that DNSChanger was installed, but that there might be an unpatched vulnerability. If they'd shut it down, staff would have looked at the boxes and identified that there was malware installed, then cleaned up the boxes in the process and fixed their patching process. Who knows what additional malware may have been installed in the interim using the same or other unpatched vulnerabilities, because the FBI meddled?

In addition, by taking the responsibility for maintaining a DNS infrastructure, they run the risk of contributing to another mass compromise if the replacement infrastructure is itself compromised or becomes the victim of a cache poisoning attack.

You mean the only operating system that can be remotely managed, has the business apps, supports Office (with Outlook), has support from every IT professional in existence, can run on every PC ever made, won't break with an apt-get, ... is not a real OS?

Sorry, the age of green-screen CRT terminals died over two decades ago. No one is going to switch to the IBM mainframe or a big Unix box.

Ha! Windows *doesn't* run on every personal computer, only those with an x86-compatible processor. Plenty of *real* operating systems are portable. Windows doesn't have the support of every IT professional in existence; plenty of IT people deal only with other platforms, like me. The Outlook plus Windows stack has been responsible for billions of dollars in lost time and data from being a malware portal. It is such a farce that so many pretend that it is a real business- or enterprise-grade operating system.

After the deadline, for a few weeks, redirect all traffic from these machines to a page explaining the issue. Or, for some time before the deadline, randomly redirect some requests to a page explaining that the computer is infected and the internet will not be usable from the deadline onwards.
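The "walled garden" the two comments above describe, as an added example that is not part of the original thread and not the FBI's surrogate-server software: a minimal DNS responder that parses an incoming query in RFC 1035 wire format and answers every A query with one fixed address, where an explanatory page would be hosted. The sinkhole address 192.0.2.1 is an illustrative documentation address; the deadline is the March 8, 2012 date from the article; and the pre-deadline "random" redirect is implemented as a deterministic hash-based sample of query names, an assumed stand-in that makes the behaviour reproducible.

```python
# Added example: sinkhole DNS responder for a surrogate resolver.
# Every A query gets the same fixed answer; other query types get an empty
# NOERROR reply so non-web traffic fails cleanly instead of being misdirected.
import hashlib
import struct
from datetime import date
from typing import List, Tuple

SINKHOLE_IP = "192.0.2.1"            # assumed: address of the explanation page
DEADLINE = date(2012, 3, 8)          # from the article: surrogate servers stop


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Read an uncompressed name at off; return (name, offset after it)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Client side: standard recursive query with one question (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes) -> Tuple[int, str, int, int, bytes]:
    txid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, qname, qtype, qclass, pkt[12:off + 4]


def should_sinkhole(qname: str, today: date, deadline: date = DEADLINE,
                    sample_mod: int = 10) -> bool:
    """After the deadline every query is sinkholed; before it, a deterministic
    1-in-sample_mod slice of names (by hash) gets the warning page instead."""
    if today >= deadline:
        return True
    digest = hashlib.sha256(qname.lower().encode("ascii")).digest()
    return digest[0] % sample_mod == 0


def build_response(query: bytes, sinkhole_ip: str = SINKHOLE_IP,
                   ttl: int = 60) -> bytes:
    """Server side: echo the question, answer A queries with the sinkhole."""
    txid, _qname, qtype, _qclass, question = parse_query(query)
    flags = 0x8580  # QR=1, AA=1, RD=1, RA=1, RCODE=NOERROR
    if qtype != 1:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rdata = bytes(int(o) for o in sinkhole_ip.split("."))
    # 0xC00C is a pointer back to the name at offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def answer_ips(resp: bytes) -> List[str]:
    """Client side: pull the A record addresses out of a response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4
    ips = []
    for _ in range(an):
        if resp[off] & 0xC0 == 0xC0:
            off += 2                      # compressed owner name
        else:
            _, off = decode_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ips


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print("sinkholed:", answer_ips(build_response(q)))
```

Wrapped in a UDP socket loop on port 53 this is the whole server; the one operational caveat a commenter raises later in the thread still applies, namely that whoever runs the surrogate now owns a resolver that every infected host trusts absolutely, so it needs the same hardening and monitoring as any production authoritative server.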

Probably not really. The smallest Fortune 500 companies, D.R. Horton and Seaboard, both have over 3000 employees (and Seaboard is up around 9k); with even that many computers it would be fairly hard to be 100% sure all of them are clean all the time, especially across multiple sites and all that.

You do realize that the penalty for surfing porn on government equipment is loss of government job? But thanks for helping spread the myth that government workers do nothing all day. In most cases, they have the worst jobs available, they have to put up with you, the unthinking public. You are the people who believe in JFK conspiracies, UFOs, that the Jews control everything, the Twin Towers was a CIA/FBI plot, etc.

any computers still infected with DNSChanger may no longer be able to browse the Web

There are over 250 IT departments that not only allow infected machines to remain on the network but allow users to continue to use them?!? The IT world has officially gone to shit. I'm going back to bed.

IT doesn't have time to check every PC for malware. They are just trying not to get fired as the CEO and bean counters look at them as wasteful cost centers that bring down the share price and offer no business value.

Most of the places I've worked have suffered from at least one serious security hole that has gone unaddressed due to either lack of comprehension, lack of skill or lack of funding; be it as obvious as everyone running as root/local admin or more "policy based" problems such as applying crippling restrictions on web browsing but having ways around the filters for "important" people (read: management) that inevitably find their way into the hands of the rest of the staff so that you might as well just turn o

Not that simple. Most use Symantec Endpoint, which will conflict with MSE. Users don't have admin rights and there is nothing they can do. MSE is forbidden with more than 10 users.

Besides, the policy from the CIO is to use only approved software he bought from his games of golf with slick salesmen. It costs money to hire competent IT professionals and the bean counters hate this, as the goal of the company is to raise its stock price and not keep computers clean.

Even if MSE isn't an option, the standard "Windows Malicious Software Removal Tool" that Microsoft makes available as part of every "Patch Tuesday" should be something IT departments are running on their systems.

+1, just pull the plug on the thing. Let the wannabe IT managers at these outfits RTFM and scratch their heads awhile since they don't properly monitor their network. Can we get a list of affected companies? May be an interesting day to short some stocks..

Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web.

Stupid people kicked off the 'Net? What will become of us?

Sadly, since many of these systems are corporate machines, it means that their users are probably prohibited from patching them themselves. So if some PHB has failed to authorize IT to perform the fix, everyone else will suffer.

You poor simple douche. You did get part of your idiocy right - red heads aren't cool, they are HOT! The rest? I hear you whining, "I haven't managed to code any malware that will run reliably on Linux - aww, fuck it, there aren't enough Linux computers to infect anyway!"

Just run along and play with yourself, you douche. Here's a magnifying glass and a pair of tweezers. And, don't be messing with that redhead down the street. She'll tear your fucking head off, and shit down your windpipe, 'cause she

Back in the mid nineties I had to deal with clueless users installing various crapletts on their systems. Screen savers, animated icons, animated cursors and games mostly downloaded from BBS's, AOL, Prodigy, Delphi etc. As soon as you cleaned up one outbreak there was another. Of course upper management was silent on the matter of installing the crapletts. Here we are fifteen years later and it's the same song. I'm sure the IT departments want to clean this up but upper management isn't providing the necessary support.

Probably because IT thinks everything is a "crapplett". Cygwin? Crapplett. Chrome? Crapplett. Dia? Crapplett. If it's open source, it must be insecure, never mind that our backend is WebLogic running on Red Hat. Once someone who's trying to do actual work gets their manager involved, then IT shoots back with "well, we have to certify that it's secure and that will take X months". Management gets sick of IT constantly getting in the way and tells them to bugger off.

Most of those issues are caused by one of two things: 1) policies created by some moron who doesn't know anything about IT but read a white paper once, so thinks they're God's gift to compliance (my current employer blocks any website that uses a META Refresh because of some reason... security... compliance), or 2) IT staff with a God complex. Neither is that hard to fix, but both seem endemic across the corporate and government world.

Smart IT departments deal with this with: "Show me that you need this program

The way they stated it is exaggerating, but the numbers are plausible. They said they found at least 1 infected computer in half of the Fortune 500 companies, plus one in 27 out of 55 govt agencies. That's a whole whopping 277 computers. Entirely possible. They probably just looked at the logs from the DNS servers.

... I'd rather have someone who won't cause problems than someone who will find solutions.

That sounds just like the douche bag admins who're so powerless/ineffectual/ignorant that they let half of Fortune 500 companies and gov't agencies continue to run malware long after they'd been warned about it.

Why are we letting the government give a pass to big businesses that simply can't secure their computers? We should be fining them for letting the malware infect their computers in the first place, rather than allowing all the malware to stay on the computers in the first place.

We are just perpetuating the malware/virus problem by giving companies a pass. They won't learn anything, they won't put more money into security, since they will think: "Oh, we just have to wait for the government to step in, then we